Random in Session array Memory Limit Crash
Posted: Wed Jul 22, 2009 10:29 am
by tonebari
Hi all:
I have the following in a function to call within forms:
$formid=uniqid(mt_rand(100000000, 1000000000), false);
$token=uniqid(mt_rand(100000000, 1000000000), false);
$_SESSION['token'][$formid] = $token;
$inputs='
<input type="hidden" name="formid" value = "'.$form_id.'" />
<input type="hidden" name="token" value = "'.$_SESSION['token'][$form_id].'" />';
return $inputs;
Line 3 crashes the server: out of memory. I have tried simpler random generators with the same net result. What am I doing wrong? Thank YOU!
Re: Random in Session array Memory Limit Crash
Posted: Wed Jul 22, 2009 10:40 am
by jackpf
I just tried it and it worked fine.
And I'm on a sh|tty laptop with 256mb memory.
Re: Random in Session array Memory Limit Crash
Posted: Wed Jul 22, 2009 2:33 pm
by tonebari
Yeah, I dunno. I ended up switching around the array by swapping the position of the random string and the 'formid' and it worked. However, I had this both locally and remote and it did the same thing on both machines. Here's what ended up working:
function form_token_string(){
    $formid=(string)uniqid(mt_rand(100000000, 1000000000), false);
    $token=(string)uniqid(mt_rand(100000000, 1000000000), false);
    $_SESSION[$formid]['token'] = $token;
    $inputs='<input type="hidden" name="formid" value = "'.$formid.'" />
<input type="hidden" name="token" value = "'.$_SESSION[$formid]['token'].'" />';
    return $inputs;
}
Thanks!
Re: Random in Session array Memory Limit Crash
Posted: Thu Jul 23, 2009 6:44 am
by jackpf
If you're running this on like...every page, then I guess the session could just get so huge, because you're creating a new key for it as well every time.
So instead of overwriting the last one, you're creating a new one. It seems kind of pointless as well tbh...why do you need two random strings?
Re: Random in Session array Memory Limit Crash
Posted: Thu Jul 23, 2009 9:58 am
by tonebari
Here's my reason:
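function require_token(){ // this is called in each form processor
    $valid=false;
    // Both fields must be present and be strings; otherwise a missing token
    // would compare equal to a missing session entry (null == null).
    if(isset($_REQUEST['formid'], $_REQUEST['token'])
        && is_string($_REQUEST['formid']) && is_string($_REQUEST['token'])){
        $id=$_REQUEST['formid'];
        // Accept only a token stored for this form id; compare in constant time.
        if(isset($_SESSION[$id]['token']) && is_string($_SESSION[$id]['token'])
            && hash_equals($_SESSION[$id]['token'], $_REQUEST['token'])){
            $valid=true;
        }
    }
    if(!$valid) { die('Access denied'); }
}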
Since there are multiple forms on many pages, I have to be able to validate security tokens for each one. You are right: session data does get big. I have this site's sessions in a db, and there is cleanup. Funny, my cleanup function had an error and after I implemented db sessions, I came back in 4 days and there were thousands of sessions. LOL
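Added example, not part of the thread or any poster's code: one way to keep per-form tokens while bounding the session growth discussed above, with one-time use and a constant-time check. The function names, the 'form_tokens' session key and MAX_FORM_TOKENS are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Function names, the 'form_tokens'
// key and MAX_FORM_TOKENS are assumptions. Needs PHP 7.1+.
const MAX_FORM_TOKENS = 20; // outstanding tokens kept per session

function issue_form_token(array &$session): array
{
    $formid = 'f' . bin2hex(random_bytes(8)); // prefix keeps the array key a string
    $token  = bin2hex(random_bytes(32));      // CSPRNG output, not uniqid()/mt_rand()
    $session['form_tokens'][$formid] = $token;
    // Drop the oldest entries so the session cannot grow without bound.
    $excess = count($session['form_tokens']) - MAX_FORM_TOKENS;
    if ($excess > 0) {
        $session['form_tokens'] = array_slice($session['form_tokens'], $excess, null, true);
    }
    return [$formid, $token];
}

function form_token_inputs(string $formid, string $token): string
{
    return '<input type="hidden" name="formid" value="' . htmlspecialchars($formid, ENT_QUOTES) . '" />'
         . '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES) . '" />';
}

function consume_form_token(array &$session, array $request): bool
{
    $formid = $request['formid'] ?? null;
    $token  = $request['token'] ?? null;
    // Request values can be arrays (token[]=x) or absent; accept strings only.
    if (!is_string($formid) || !is_string($token)) {
        return false;
    }
    $expected = $session['form_tokens'][$formid] ?? null;
    if (!is_string($expected)) {
        return false; // unknown, evicted or already used form id
    }
    unset($session['form_tokens'][$formid]); // one-time use
    return hash_equals($expected, $token);   // constant-time comparison
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = [];
for ($i = 0; $i < 25; $i++) {
    [$formid, $token] = issue_form_token($session);
}
echo form_token_inputs($formid, $token), "\n";
var_dump(count($session['form_tokens']));                                         // entries left after eviction
var_dump(consume_form_token($session, ['formid' => $formid, 'token' => $token])); // first submit
var_dump(consume_form_token($session, ['formid' => $formid, 'token' => $token])); // replay of the same pair
var_dump(consume_form_token($session, ['formid' => $formid]));                    // token field missing
```

In a real handler, pass `$_SESSION` and `$_POST` in place of the demo arrays.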
Re: Random in Session array Memory Limit Crash
Posted: Thu Jul 23, 2009 10:21 am
by jackpf
I just have a hidden input, with a random number, a cookie with the same number, and if they don't match on submit, then display an error.
It works well enough...I still don't see why two random strings are necessary.